Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in User Login Log
One of the many problems we have with the WordPress security company Wordfence is that they disclose vulnerabilities in plugins while holding back the key details of those vulnerabilities. They are not doing that for any real security purpose, but so they can try to profit from them by being the only firewall provider that protects against them. They certainly have a right to try to do that, but it doesn't match their claim that "security of … the greater WordPress community is of paramount importance to us", since those details are important to improving the security of WordPress plugins. One reason for that is that the details often lead to finding more vulnerabilities in the same plugins: in three instances we found that Wordfence had missed vulnerabilities related to the ones they found, and those would have been easier to find if Wordfence weren't doing what they are doing.
Another important way the details help to improve the security of WordPress plugins is that someone else can use the details of a vulnerability to find similar vulnerabilities in other plugins. One such instance occurred for us last week. A persistent cross-site scripting (XSS) vulnerability was disclosed in the plugin Activity Log, caused by a failure to sanitize the value of the HTTP header HTTP_X_FORWARDED_FOR. After adding that vulnerability to our data set, we took a quick look at other plugins and found that a similar issue exists in the current version, 2.2.1, of the User Login Log plugin.
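The header-to-admin-page path described above, as an added PHP illustration that is not code from the User Login Log or Activity Log plugins (every function and option name here is hypothetical): a login-logging pattern that stores the raw X-Forwarded-For value and echoes it unescaped, beside a hardened version that validates the value as an IP address on input and escapes on output.

```php
<?php
// Added example, not code from the User Login Log or Activity Log plugins.
// A login-log plugin records the visitor address on login and later prints
// the log on an admin page. Function and option names are hypothetical.

// Weak pattern: the client-supplied header is stored unchanged and echoed
// unescaped, so whatever a visitor sends in X-Forwarded-For reaches the
// admin page as markup (persistent XSS).
function ull_example_log_login_weak( $user_login ) {
    $ip  = isset( $_SERVER['HTTP_X_FORWARDED_FOR'] )
        ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
    $log = get_option( 'ull_example_log', array() );
    $log[] = array( 'user' => $user_login, 'ip' => $ip, 'time' => time() );
    update_option( 'ull_example_log', $log );
}
function ull_example_render_weak() {
    foreach ( get_option( 'ull_example_log', array() ) as $row ) {
        echo '<tr><td>' . $row['user'] . '</td><td>' . $row['ip'] . '</td></tr>';
    }
}

// Hardened: accept the header only if its first hop parses as an IP address,
// fall back to REMOTE_ADDR otherwise, and escape every field on output.
function ull_example_client_ip() {
    if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $first = trim( explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] )[0] );
        if ( filter_var( $first, FILTER_VALIDATE_IP ) ) {
            return $first;
        }
    }
    return $_SERVER['REMOTE_ADDR'];
}
function ull_example_log_login( $user_login ) {
    $log   = get_option( 'ull_example_log', array() );
    $log[] = array(
        'user' => sanitize_text_field( $user_login ),
        'ip'   => ull_example_client_ip(),
        'time' => time(),
    );
    update_option( 'ull_example_log', $log );
}
function ull_example_render() {
    foreach ( get_option( 'ull_example_log', array() ) as $row ) {
        echo '<tr><td>' . esc_html( $row['user'] ) . '</td><td>'
           . esc_html( $row['ip'] ) . '</td></tr>';
    }
}
add_action( 'wp_login', 'ull_example_log_login' );
```

Output escaping with esc_html() is what actually closes the XSS regardless of where the stored value came from; the input validation only narrows what gets recorded, and X-Forwarded-For should only be consulted at all when the site sits behind a proxy that is known to set it.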